* SNAT spoofing problem
@ 2008-05-07 17:56 Gary Renshaw
2008-05-07 19:02 ` Gáspár Lajos
2008-05-07 21:12 ` Josh Cepek
0 siblings, 2 replies; 4+ messages in thread
From: Gary Renshaw @ 2008-05-07 17:56 UTC (permalink / raw)
To: netfilter
Greetings,
I am trying to get a host to reject pings with an ICMP host-unreachable
message so that it looks like the host doesn't exist. This is easy and
works nicely.
The problem is that I'd like to use SNAT to spoof the source address so
that the ICMP looks like it is coming from the network's gateway, not
the stealthy host. This isn't working the way I expected.
I've set up a very simple test rig for this.
192.168.1.1 (GATEWAY) <-----> 192.168.1.2 (STEALTH)
          |
          \--> 192.168.1.3 (WORKSTATION)
The stealth host is running a very simple "firewall" whose only purpose
is to block pings and respond with a host-unreachable alleging to be
from the gateway:
# Default-deny on INPUT and OUTPUT, then flush any existing rules
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -F -t nat
iptables -F -t filter
iptables -X
# Allow loopback traffic and all outbound traffic on eth0
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
# Intended to rewrite the source of outgoing host-unreachable messages to the gateway address
iptables -t nat -A POSTROUTING -o eth0 -p icmp --icmp-type \
host-unreachable -j SNAT --to 192.168.1.1
# Answer incoming echo requests with ICMP host-unreachable; accept everything else
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request \
-j REJECT --reject-with icmp-host-unreachable
iptables -A INPUT -i eth0 -p all -j ACCEPT
From STEALTH I can ping anywhere (good). From WORKSTATION I can ping
anywhere except STEALTH which returns "host unreachable" (good) BUT the
message is reported as coming from 192.168.1.2 (bad). I've looked at
the packets in detail using wireshark and they really do say that they
are coming from STEALTH instead of GATEWAY.
It looks like the SNAT is doing nothing at all. What am I missing?
Thanks,
Gary
--
==============================================
Trilunar Consulting http://www.trilunar.ca/
==============================================
* Re: SNAT spoofing problem
From: Gáspár Lajos @ 2008-05-07 19:02 UTC (permalink / raw)
To: Gary Renshaw; +Cc: netfilter
Gary Renshaw wrote:
>
> It looks like the SNAT is doing nothing at all. What am I missing?
You are in one subnet.... NO PACKET GOES THROUGH your gateway...
>
> Thanks,
> Gary
* Re: SNAT spoofing problem
From: Gary Renshaw @ 2008-05-07 19:55 UTC (permalink / raw)
To: Gáspár Lajos; +Cc: netfilter
That's true but I thought that the SNAT would re-write the outgoing ICMP
packet so that its source address is 192.168.1.1 instead of 192.168.1.2
-- thus making it look to the receiver as if it had come from the
gateway instead of the stealth host. The gateway itself is not involved
except for being an existing host on the same subnet.
Do I need to do this some other way?
Gary
Gáspár Lajos wrote:
> Gary Renshaw wrote:
>>
>> It looks like the SNAT is doing nothing at all. What am I missing?
> You are in one subnet.... NO PACKET GOES THROUGH your gateway...
>>
>> Thanks,
>> Gary
* Re: SNAT spoofing problem
From: Josh Cepek @ 2008-05-07 21:12 UTC (permalink / raw)
To: Gary Renshaw, netfilter
Gary Renshaw wrote:
> I am trying to get a host to reject pings with an ICMP
> host-unreachable message so that it looks like the host doesn't
> exist. This is easy and works nicely.
This will not do what you want for several reasons. On a local network,
the "host unreachable" condition is identified by the system _sending_
the pings when there is no ARP reply from the target host; this means
that any local host can know the "stealth" host is up from the ARP
reply. This method also won't work beyond most gateways unless you have
the cooperation of the gateway; most gateways are configured with
firewalls that prevent spoofing across subnets, and thus it will drop
any packets with invalid source addresses on them. In your diagram
anything upstream from the gateway would receive replies from the WAN
(or upstream) IP address, not the LAN, and the gateway won't (or at
least shouldn't) accept LAN packets sourced with an IP on a different
network.
If your goal is to hide the "stealth" host from clients on the local
network, it's pointless; ARPs give you away as a live host anyway, and
there's no way to "fix" that without breaking TCP/IP functionality
altogether.
> The problem is that I'd like to use SNAT to spoof the source address
> so that the ICMP looks like it is coming from the network's gateway,
> not the stealthy host. This isn't working the way I expected.
>
> I've set up a very simple test rig for this.
>
> 192.168.1.1 (GATEWAY) <-----> 192.168.1.2 (STEALTH)
>           |
>           \--> 192.168.1.3 (WORKSTATION)
--
Josh